Suspicious HWP Sub Processes

Hunt Hypothesis

Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation

Detection Rule

Sigma (Original)

title: Suspicious HWP Sub Processes
id: 023394c4-29d5-46ab-92b8-6a534c6f447b
status: test
description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
references:
    - https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/
    - https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1
    - https://twitter.com/cyberwar_15/status/1187287262054076416
    - https://blog.alyac.co.kr/1901
    - https://en.wikipedia.org/wiki/Hangul_(word_processor)
author: Florian Roth (Nextron Systems)
date: 2019-10-24
modified: 2021-11-27
tags:
    - attack.initial-access
    - attack.t1566.001
    - attack.execution
    - attack.t1203
    - attack.t1059.003
    - attack.g0032
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\Hwp.exe'
        Image|endswith: '\gbb.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (ParentProcessName endswith "\\Hwp.exe" or ActingProcessName endswith "\\Hwp.exe") and TargetProcessName endswith "\\gbb.exe"

Required Data Sources

Sentinel Table	Notes
`imProcessCreate`	Ensure this data connector is enabled

False Positive Guidance

Unknown

MITRE ATT&CK Context

Tactic: Initial Access
Tactic: Execution
Technique: T1566.001 — T1566.001
Technique: T1203 — T1203
Technique: T1059.003 — T1059.003

Suspicious HWP Sub Processes

Hunt Hypothesis

Detection Rule

Sigma (Original)

KQL (Azure Sentinel)

Required Data Sources

False Positive Guidance

MITRE ATT&CK Context

References